Active Directory Users with OSX Preferences

  • #365435
    LDSK
    Participant

    I have the following setup:

    1. Active Directory Server (2000)
    2. Macintosh 10.4.x client
    3. Macintosh 10.4.x Server (Open Directory)

    I would like to log in to my OSX client with my Active Directory user. I am able to log in to Active Directory from the client, but need to use the Macintosh 10.4 Server to ‘tighten down’ preferences (enable Simple Finder, disable System Preferences, etc.). I need to be able to do this without using third-party software.

    I have been given this assignment, and it is outside of my scope of knowledge. I don’t know much about Active Directory or Open Directory in order to troubleshoot some of the problems that I am having.

    I would be grateful to anyone who can explain this more clearly for me!

    #365437
    LDSK
    Participant

    I have read the white papers and have spent two days googling. Most of the concepts are beyond me…

    #365439
    Arte
    Participant

    I just did something similar. The steps are as follows:

    1. Make the OSX Server an OpenDirectory Master
    2. Bind the OSX Server to your AD domain to get the users
    3. Create a group on the OSX Server in OD (i.e. Mac Users)
    4. With WGM put the Mac users from AD into that group
    5. With WGM manage preferences for that group
    6. In addition to AD, bind your Mac clients to OD by adding your OD as an LDAPv3 server

    For step 2 use Directory Service and bind the Server like you did with the clients.

    For step 3 you need to switch to /Active Directory/All Domains in WGM.

    Now the client gets the auth info from AD but will also query OD for information and find that it's in the Mac Users group, which is managed.

    Arte.

    #365441
    LDSK
    Participant

    Very awesome — thank you SO much for breaking it down like that.

    I was able to add the group and configure permissions for the group (with all of the AD users) and not get an error (like last time).

    I have added the OD server to LDAP, and bound clients to AD, but when I log in the permissions have not taken effect.

    #365445
    matx
    Participant

    As long as the clients are bound through Directory Access to both servers (AD and OD) and the prefs are managed on the OD server, then it should work. Try a restart on clients to make sure they get the MCX managed prefs. Also, are you managing prefs by computer, user or group? Try some tests of all three, and see what sticks.

    #365525
    slazar
    Participant

    Add the OD server to the LDAPv3 configuration, but don’t enter any credentials when it shows you the computer name. This causes it to be an anonymous connection (unbound) and the preferences will show up more consistently.

    #365543
    Arte
    Participant

    All of a sudden I have a strange problem with my mobile clients. Whenever the screen locks or they reboot or try to unlock a pref pane, it takes ages to unlock or even shows wrong password.

    This happens whenever the clients are not in our normal environment (like at home or somewhere else). I have entered the OD server as an IP address and have short timeouts. I have not been able to find out where exactly it hangs. Any hints?
